A 2020 investigation coordinated by the Business & Human Rights Resource Centre
found that five Jordanian internet service providers were collecting intrusive user
information - beyond what is necessary for service provision - without
adequately disclosing this practice to their subscribers or obtaining informed consent.
The providers identified in the investigation included Orange Jordan, Zain Jordan,
and Umniah among the country’s primary market participants. The data collection
practices documented went beyond routine network management and billing data to encompass
behavioral and usage information that would enable detailed subscriber profiling.

The Ministry of Digital Economy and Entrepreneurship (MoDEE) acknowledged in its public
communications that data privacy was a national priority and that the development of
a personal data protection framework was under consideration. However, Freedom House’s
2024 “Freedom on the Net” assessment of Jordan continued to document concerns
about ISP data collection practices and government access to subscriber information,
indicating that the structural issues identified in 2020 had not been resolved by
legislative or regulatory intervention in the intervening four years. Jordan’s
constitutional Article 18 privacy protections, while providing a normative basis for
challenging ISP data collection, have not been enforced through any mechanism that
constrained the documented practices.

## Key Facts

- **What:** Five Jordanian ISPs collected intrusive user data without consent.
- **Who:** Subscribers of Orange Jordan, Zain Jordan, Umniah, and two other ISPs.
- **Data Exposed:** Browsing histories, app usage, behavioral profiles, and subscriber identities.
- **Outcome:** No penalties imposed; Jordan lacks enforceable data protection legislation.

## What Was Exposed

- Browsing histories, application usage data, and internet behavioral profiles of subscribers at five Jordanian ISPs, collected without subscriber knowledge or consent
- Usage metadata beyond what is necessary for network management: detailed records of subscriber communication patterns, application preferences, and online activities
- Subscriber identification data linked to behavioral profiles, enabling the association of specific individuals with their internet activity histories
- Data collected without disclosure that may have been shared with government agencies, third-party advertisers, or data brokers - the investigation did not establish the full scope of data sharing arrangements
- Potentially deep packet inspection (DPI) data if providers employed traffic analysis technologies that examine the content of communications beyond header metadata
- The aggregate subscriber data of three of Jordan’s largest operators - Orange, Zain, and Umniah - which between them serve the vast majority of Jordan’s internet subscribers

The term “intrusive user data collection” encompasses a spectrum of practices
that go beyond what a subscriber would reasonably expect their ISP to collect in the
course of providing connectivity services. At one end of this spectrum are practices like
retaining detailed web browsing histories, DNS query logs, and application-level traffic
records beyond the period necessary for billing or network troubleshooting. At the more
invasive end are practices involving deep packet inspection (DPI) technology -
systems that analyze the content of network traffic, not merely its metadata -
enabling ISPs to reconstruct subscriber browsing behavior, intercept unencrypted
communications, and build profiles of subscriber interests and activities with a
granularity that no subscriber would expect or consent to.

Jordan’s legal framework for ISP data collection creates a permissive environment
for surveillance-grade data retention. The Cybercrime Law (both the 2015 predecessor
and the 2023 successor) contains provisions requiring ISPs to retain traffic data for
defined periods to support law enforcement investigations. The Telecommunications Law
creates licensing obligations that include cooperation with security and intelligence
agencies. These legal requirements create a baseline of data retention that serves
law enforcement objectives - but they do not limit what ISPs may additionally
collect for commercial or other purposes, nor do they require that subscribers be
informed of the full scope of data retention and potential disclosure.

The three named ISPs - Orange Jordan, Zain Jordan, and Umniah - together
account for the substantial majority of Jordan’s internet subscribers across
both mobile broadband and fixed-line connectivity. Orange Jordan, as the former state
monopoly incumbent, holds the largest share of fixed-line and broadband subscribers.
Zain Jordan is the Jordanian subsidiary of the Kuwaiti-headquartered Zain Group and
serves a large mobile subscriber base. Umniah is the third major mobile operator,
majority owned by Bahrain’s Batelco. All three are international corporations
with parent companies headquartered in jurisdictions with more developed data protection
frameworks than Jordan currently provides - a parent-subsidiary regulatory arbitrage
that allows practices in Jordan that would not be permissible under the frameworks
governing their parent companies.

The Freedom House 2024 assessment of Jordan’s internet freedom includes documentation
of ongoing concerns beyond ISP data collection: website blocking, social media monitoring,
arrests of users for online expression, and the use of the Cybercrime Law No. 17/2023
to prosecute speech-related online activity. The data collection practices of ISPs
exist within this broader digital rights environment, where the data accumulated about
subscribers’ online activities may be accessed by authorities to support
investigation of Cybercrime Law offenses that include the publication of content
deemed to “provoke sedition” or undermine national unity. The intersection
of commercial data collection practices with law enforcement access provisions creates
a surveillance infrastructure in which ISPs serve as both commercial data processors
and instruments of state monitoring.

The acknowledgment by MoDEE that data privacy is a national priority, made in the
context of the 2020 investigation, was not accompanied by specific regulatory action
against the ISPs identified in the investigation or by the enactment of the personal
data protection legislation that would have provided the enforcement mechanism for
addressing the documented practices. This gap between policy acknowledgment and
legislative action is characteristic of Jordan’s data protection trajectory:
the country has repeatedly signaled its intention to develop a comprehensive personal
data protection law without completing the legislative process. The National Cybersecurity
Strategy 2024-2028 reaffirms this intention, but the absence of an enacted law
means that ISPs continue to operate in an environment without binding transparency
or consent requirements for their data collection practices.

## Regulatory Analysis

The regulatory analysis of Jordan’s ISP data collection practices requires
engagement with three distinct legal frameworks: the constitutional privacy guarantee,
the telecommunications licensing regime, and the cybercrime law. None of these frameworks
individually provides a comprehensive basis for compelling ISPs to limit their data
collection to what is necessary and disclosed - but together they create a normative
architecture that a properly empowered enforcement body could use to address the practices
documented in the 2020 investigation.

Article 18 of Jordan’s Constitution provides that all postal, telegraphic, and
telephonic communications are secret and shall not be subject to surveillance except
by judicial order. Applied to internet communications - which the constitutional
drafters could not have anticipated but which represent the primary communication medium
of contemporary Jordanian life - Article 18 establishes a privacy baseline that
ISP behavioral data collection without subscriber consent arguably violates. The collection
of detailed browsing histories and usage profiles constitutes a form of continuous
surveillance of subscriber communications that goes beyond routine service provision
and engages the constitutional privacy interest. However, without a constitutional
court with the mandate to receive complaints from affected subscribers and issue binding
rulings against ISPs, Article 18’s application to ISP data collection remains
a theoretical legal argument rather than an enforceable right.

The Telecommunications Regulatory Commission (TRC) licenses Jordan’s ISPs and
has the authority to impose conditions on licensed operators, including conditions
related to subscriber privacy and the scope of data collection. The TRC’s
existing license conditions require operators to protect subscriber confidentiality
in the context of law enforcement access - establishing procedures for government
requests for subscriber data - but do not include conditions requiring operators
to limit commercial data collection to what is necessary for service provision or to
disclose their data collection practices to subscribers in accessible terms. A TRC
regulatory intervention requiring ISPs to publish clear, detailed privacy notices
and to limit data collection to specified categories with specified retention periods
would address the disclosure gap identified in the 2020 investigation without waiting
for the enactment of standalone personal data protection legislation.

Jordan’s Cybercrime Law No. 17/2023 explicitly requires ISPs to retain certain
categories of traffic data and to provide access to authorities upon lawful demand.
These obligations represent the floor of ISP data retention, not the ceiling. There
is nothing in the 2023 law that authorizes ISPs to collect data beyond what law
enforcement retention requirements mandate - but equally nothing that prohibits
it. The absence of a data minimization principle in the applicable legal framework
means that ISPs face no legal constraint on collecting additional data for commercial
purposes, provided they do so within the general terms of their licensing agreements
and subscriber contracts. This permissive environment is precisely the gap that a
Personal Data Protection Law with data minimization and purpose limitation principles
would close.

## What Should Have Been Done

Addressing Jordan’s ISP data collection problem requires simultaneous action at
three levels: mandatory legislative standards that define what ISPs may collect and
how they must disclose it, regulatory enforcement by the TRC and MoDEE using existing
licensing authority, and industry self-regulatory commitments that demonstrate good
faith engagement with subscriber privacy expectations. The MoDEE’s acknowledgment
that data privacy is a national priority creates a public commitment that should be
translated into concrete regulatory action.

At the legislative level, Jordan’s long-pending Personal Data Protection Law
must include specific provisions for the telecommunications and ISP sector. These should
include a data minimization principle requiring ISPs to collect only the data necessary
for the provision of contracted services and compliance with lawful data retention
orders; a purpose limitation principle restricting the use of collected data to the
specific purposes for which it was collected; mandatory privacy notices at the point
of subscription explaining in plain language what data is collected, for what purposes,
with whom it is shared, and for how long it is retained; and an individual right to
access personal data held by the ISP and to request its deletion where retention is
not legally required. These principles are established international standards,
reflected in the OECD Privacy Guidelines, the GDPR, and numerous national data
protection laws enacted by Jordan’s regional peers.

The TRC should exercise its existing licensing authority to require immediate
transparency improvements from licensed operators. A TRC guidance note requiring
all ISPs to publish accessible privacy notices describing their data collection
practices - including any behavioral profiling, DPI deployment, or data
sharing arrangements with third parties or government agencies - would
address the most immediate disclosure gap without waiting for standalone legislation.
ISPs that fail to publish compliant privacy notices within a defined compliance
window should face license condition enforcement action. This regulatory intervention
is within the TRC’s existing powers and does not require new legislation,
making it the most immediately actionable response to the documented practices.

ISPs themselves should implement privacy-by-design principles in their data management
architectures, treating the minimization of personal data collection as a design
requirement rather than a compliance afterthought. This includes technical controls
that prevent the collection of data beyond what is specified in documented retention
policies, automated deletion of data upon expiry of its retention period, segregation
of law enforcement retention data from commercial operations data, and annual
privacy impact assessments for any new data processing initiative. For ISPs with
parent companies headquartered in the EU or other jurisdictions with established
data protection standards, the group-level policies of the parent should set a
floor for data protection practices in Jordan that meets or exceeds the parent’s
domestic obligations, not a ceiling that is selectively applied only where legally
required.
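
One way to express the technical controls listed above (collection limited to documented fields, automated deletion at retention expiry, and segregation of law enforcement retention data from commercial data), as an added example that is not drawn from the investigation or from any operator's systems. The policy table, purposes, field names, reader roles and retention periods are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy for illustration: purposes, field names, retention periods
# and reader roles are assumptions, not taken from any law or operator policy.
POLICY = {
    "billing": {"fields": {"subscriber_id", "ts", "bytes"},
                "keep": timedelta(days=90), "readers": {"billing_app"}},
    "lawful_retention": {"fields": {"subscriber_id", "ts", "src_ip"},
                         "keep": timedelta(days=365), "readers": {"legal_desk"}},
}


class PurposeStore:
    """One store per documented purpose, so retention data stays segregated."""

    def __init__(self, purpose):
        self.purpose, self.rule, self.rows = purpose, POLICY[purpose], []

    def ingest(self, record):
        """Keep only allowlisted fields; return the names that were dropped."""
        if "ts" not in record:
            raise ValueError("record without timestamp cannot be aged out")
        self.rows.append({k: v for k, v in record.items() if k in self.rule["fields"]})
        return sorted(set(record) - self.rule["fields"])

    def purge(self, now):
        """Delete rows past the retention period; return how many were removed."""
        cutoff = now - self.rule["keep"]
        kept = [r for r in self.rows if r["ts"] >= cutoff]
        removed, self.rows = len(self.rows) - len(kept), kept
        return removed

    def read(self, role):
        """Refuse any role the policy does not list for this purpose."""
        if role not in self.rule["readers"]:
            raise PermissionError(f"{role} may not read {self.purpose}")
        return list(self.rows)


def demo():
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    # Constructed flow record carrying fields no documented purpose needs.
    rec = {"subscriber_id": "S-1001", "ts": now - timedelta(days=120), "bytes": 5120,
           "src_ip": "192.0.2.10", "dns_query": "example.org", "url": "http://example.org/a"}
    billing, lawful = PurposeStore("billing"), PurposeStore("lawful_retention")
    dropped = billing.ingest(rec)
    lawful.ingest(rec)
    return dropped, billing.purge(now), lawful.purge(now), lawful
```

The list returned by `ingest` is worth logging: a collector that keeps sending fields outside the documented policy shows up there before anything is stored.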

Five years after the 2020 investigation documented ISP data collection practices
that violated the spirit of Jordan’s constitutional privacy guarantee, the
structural conditions that enabled those practices remain in place - the absence
of a Personal Data Protection Law, the absence of an independent data protection
authority, and the absence of effective TRC enforcement of subscriber privacy
rights collectively ensure that Jordan’s internet users remain without
meaningful protection against surveillance-grade data collection by their own
service providers.